NireBryce
@NireBryce

ATTENTION: if you have a google pixel 6+ or a galaxy S22 or medium-to-lower-end samsung galaxy phone in the last few years, you need to turn off Voice/video over LTE, and Wifi Calling, as soon as you can. there's instructions in the article at the bottom of this post

edit3: maybe not VoLTE as it might just straight up disable your ability to call (i can't check, p6 doesn't have the option), but in those cases if you have Google voice you might be able to set up call forwarding for now

there's a remote code execution vulnerability in your phone's baseband firmware. they're disclosing early, but not disclosing the vulns, so there's a chance it's not in the wild yet, but people may start trying to reverse engineer it from the details

check if your car or watch are vulnerable, if they also run android.
edit: I believe on the pixels, they've moved to 5g so VoLTE isn't there. I'd still maybe disable video-over-carrier just in case.
edit2: maybe not, check comments
edit 4: Check bottom for errata

it goes directly from internet to baseband-level (tl;dr: the second OS inside your phone that powers the LTE/5G modem) remote code execution. This is morally equivalent to getting code running on your WiFi card [something with direct low-level access to everything your phone does].

Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.

I haven't looked deep enough to know if they've found anything in the wild, but after things are announced is the time to be... even more careful, because, well, now even more people will be looking for it.

errata: